Securing Weblogic Web servcies with OWSM Policies

In this blog, I will introduce OWSM policy with a simple example. I will show how to develop WLS JAX-WS Web service and its client proxy, and how to attach OWSM security policies to them at development time for security, using Oracle JDeveloper. Find out in general how Oracle Fusion Middleware secures Web services and clients and general information about OWSM policies.


Software Download and Installation


                             1.        Download Oracle JDeveloper 11g:

Go to

and download “Oracle JDeveloper 11g ( (Build 6013) Installations”.  This version of JDeveloper download includes Weblogic server and SOA suite. SOA suite contains OWSM.

                             2.        Install JDeveloper.

                             3.        Starting JDeveloper. From View, open Application Server Navigator. Then click the Application Servers in the left pane.

                             4.        Choose IntegratedWeblogicServer and Enable default Weblogic server domain.

                             5.        To start Weblogic server, right click IntegratedWeblogicServer and click start server instance.

                Use Case: Enforcing OWSM security policy on WLS JAXWS through Oracle JDeveloper


                            1.        Developing WebLogic Web services and attaching OWSM policy to it


1.1  Create Web service:

1)    Create a new application by right click under Application view and then selecting option "New"

2)    Specify application name, for example "Application".

3)    Then it will ask you for Project name, for example "PingProject"

4)    Select a correct Project Technology from "Project Technologies" tab. For Web service development you need to select "Web Services"

5)    Now click on "Finish". You will find a project with name "PingProject" in left pane.

6)    Now add a new Java Class in this project, which will be exposed as a Web service. Again select option "New" by right-click under Project pane. Now choose "Java Class" option.

7)    Click on OK, It will ask for class details

8)    Specify class name whichever you want, say "Ping". Click on OK, Class details will be displayed in the middle pane.

9)    Add a method "ping".

10) Now you are ready to expose this class as a Web service. Select the class and right click on it. Then select an option "Create Web Service"

11) It will ask you for the type of web service. Select Java EE1.5, with support for JAX-WS Annotation

12) Click on "Next" button. It will show you port details.

13) Then click on "Next". It will show you "Message Format". Default checked option will be "SOAP 1.1 Binding".

14) Click on "Next" button. It will give you an option to expose a method for Web service

15) Then click on "Next".


1.2  Attach OWSM policy:

16) Now you can specify OWSM policies for the security of the messages:

ü Choose option OWSM Policies.

ü Then it will show you a list of available out of box OWSM policies. Select a proper combination of policies and then click on "OK". For demo purpose, we choose oracle/wss_username_token_service_policy for this exercise.

ü Late on we will show how to manage and configure policies with Oracle Enterprise Manager. Check here for more information about OWSM policies.

17) Click on Finish to complete the wizard.


1.3  Build and deploy the Web service:

18) Right click the “PingProject”. Then click “Deploy”.

19) Choose “Deploy to Application Server”.

20) Click “Next”, and then choose “IntegratedWeblogicServer”.

21) Open http://localhost:7101/PingApplication-Ping-context-root/PingPort?wsdl in a browser to see the wsdl of the service.


                             2.        Developing Web Service client and attaching OWSM policy:


2.1  Create Web service client

1)    Create a new project by name PingClientProject. Select “Java” in the available technologies.

2)    Select project then right click on it and select option "New".

3)     Select "Business Tier ->Web Service->Web Service Proxy". Click on OK, then "Next".

4)     Select JAX-WS style and then click on "Next"

5)    Specify WSDL URL (http://localhost:7101/PingApplication-Ping-context-root/PingPort?wsdl)

and then click on Next.

6)    Specify package name

7)    Click on "Next". Select the compatible OWSM client policy: oracle/wss_username_token_client_policy

8)    Click on "Next". It will prompt you for adding handlers. Simply click on "Next".


2.2  Configure Security

9)    Add client side properties:

               wss_username_token_client_policy requires user name and password to be sent as part of security header.

               ((BindingProvider) port).getRequestContext().put(BindingProvider.USERNAME_PROPERTY,      
              ((BindingProvider) port).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY,      

10)   So the code will be like:

        SecurityPoliciesFeature securityFeatures =

             new SecurityPoliciesFeature(new String[] { "oracle/wss11_username_token_with_message_protection_client_policy" });

        Ping ping = pingService.getPingPort(securityFeatures);


        // add usernam, passoord

        ((BindingProvider) ping).getRequestContext().put(BindingProvider.USERNAME_PROPERTY,     


        ((BindingProvider) ping).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY,     



        // call the desired methods.

        String resp ="hello"

        System.out.println("Ping response: "+ resp);


2.3  Run the client

11)   Run the client


In upcoming blogs, I will focus on Oracle infrastructure Web services and how to managing security and policies with OWSM.




I'm using <security-constraint> in web.xml to secure wsdl url. Since the user/password from web service client is checked before my web service endpoint is hit, how can I view the user/password that the web service client uses in a log file?
Raising log level to debug in my web service implementation class does not help, because the service request is denied (if wrong user/passwd) by weblogic.
Thanks in advance for the help.

Posted by guest on August 25, 2011 at 09:37 AM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed



« December 2016